As a health care compliance attorney for more than 12 years, I may not have seen it all, but I’ve definitely seen a lot. An unfortunate, yet common, pattern is a lack of compliance with some of the most basic state and federal regulations. There are some documents and practices that are required to be compliant with the Health Insurance Portability and Accountability Act. These are considered to be a part of the entity’s basic HIPAA infrastructure. When entities fail to provide evidence of these basic elements of a HIPAA-compliant program, one must ask themselves if that entity is unable or unwilling to follow the regulations.

One of the most common issues is an entity’s failure to show evidence of their HIPAA Privacy and Security Officer designations. Health care providers are specifically required to designate Privacy and Security Officials. These individuals are responsible for developing HIPAA policies and procedures for the entity and ensuring adherence to the regulations.[1] These designations must be in writing.[2]

Privacy Officer Designee

The Privacy Officer is responsible for developing and implementing HIPAA policies and procedures. These responsibilities include ensuring that the entity is compliant with the HIPAA Privacy Rule and Breach Notification Rule, as well as other applicable state and local laws. Their duties may include, but are not limited to, the following:

Receiving and processing requests made in accordance with Patient’s Rights and the Notice of Privacy Practices;

Ensuring that the workforce is receiving adequate HIPAA training annually and refresher training, when applicable;

Recommending disciplinary action for workforce members who violate HIPAA regulations;

Oversight of Business Associate relationships and Business Associate Agreements; and

Ensuring that HIPAA-related documents are maintained by the entity for a period of at least six (6) years.

Security Officer Designee

The Security Officer is responsible for ensuring that the entity is compliant with the HIPAA Security Rule and the development and implementation of HIPAA policies and procedures that relate specifically to ePHI. Their duties include, but are not limited to:

Ensuring that an appropriate and adequate Risk Analysis is performed, at least annually;

Developing or updating the entity’s Business Continuity Plan;

Ensuring the adequacy of the entity’s Disaster Recovery and Incident Response plans; and

Ensuring that HIPAA-related documents are maintained by the entity for a period of at least six (6) years.

It is also worth noting that the Alabama Breach Notification Act of 2018 also requires the designation of a Security Official. The statute specifically requires that covered entities designate “an employee or employees to coordinate the covered entity’s security measures to protect against a breach of security.”[3]

Workforce Members Should Readily Identify Privacy and Security Officials

It is extremely important that workforce members be able to readily identify the Privacy and Security Officials for their entity. It is necessary for them to know whom they should consult for several reasons. First, if they have questions regarding the HIPAA policies and procedures, they should know who they should turn to in order to gain clarity. Second, as HIPAA-related complaints arise, it is necessary for them to identify individuals within their entity who can resolve those complaints in a manner that is both helpful to the complainant and in accordance with the regulations. Often, if matters can be resolved by the Privacy or Security Officers then patients/clients won’t find it necessary to contact the Department of Health and Human Services (HHS) to address their issue(s). Third, when workforce members know with whom to discuss HIPAA-related matters, it provides the opportunity for Privacy and Security Officials to gain a broader understanding of the HIPAA Privacy and Security issues within their organization. Instead of workforce members attempting to resolve issues based on their limited understanding of the regulations, they instead have a point of contact who can appropriately address their issues and ensure that HIPAA-related matters are addressed with an appropriate level of consistency within the organization.

Privacy and Security Officers Often Wear Multiple Hats

Health care providers must designate Privacy and Security Officers regardless of the size of the organization. Larger organizations normally have Privacy and Security Officials who serve in those capacities full-time. Smaller entities, more often than not, assign these responsibilities to individuals who have other job functions. Examples include an office manager, information technology professional or other designee the entity determines can adequately handle the responsibilities.

It is important that all health care entities ensure that they have not simply considered personnel to fill the role of the Privacy and Security Officials within their organization, but that those designations are in writing and communicated to their workforce. These individuals should receive adequate and on-going training to ensure that they are abreast of any changes to state or federal regulations that may impact their entity.

For additional information on Privacy and Security Officer Designations or for assistance with drafting job descriptions for these individuals, health care providers should consult a health care compliance professional.